[opensuse] Bash Vulnerability - Fix for 13.1?
All,

I stumbled across the following bulletin regarding bash vulnerability:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environmen...

What's the status of a patched version for 13.1?

--
David C. Rankin, J.D.,P.E.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

It looks like the full SLES versions have a patch in QA at the moment:

http://support.novell.com/security/cve/CVE-2014-6271.html

So I would assume that oS will come soon?

On Wed, Sep 24, 2014 at 04:07:40PM -0500, Christopher Myers wrote:
> It looks like the full SLES versions have a patch in QA at the moment:
> http://support.novell.com/security/cve/CVE-2014-6271.html
> So I would assume that oS will come soon?

It is waiting only for the review team.

SR 251834

Ciao, Marcus

On Wednesday, September 24, 2014 11:18:41 PM Marcus Meissner wrote:
> On Wed, Sep 24, 2014 at 04:07:40PM -0500, Christopher Myers wrote:
> > It looks like the full SLES versions have a patch in QA at the moment:
> > http://support.novell.com/security/cve/CVE-2014-6271.html
> > So I would assume that oS will come soon?
> It is waiting only for the review team.
> SR 251834
> Ciao, Marcus

It has been already patched. Updated to bash-4.2-68.4.1

On 09/24/2014 04:03 PM, David C. Rankin wrote:
> All,
> I stumbled across the following bulletin regarding bash vulnerability:
> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environmen...
> What's the status of a patched version for 13.1?

Per the security blog, you can confirm that the vulnerability is closed with:

$ ( env x='() { :;}; echo vulnerable' bash -c "echo this is a test" )

I just executed the test in a subshell to prevent adding the function to my current session. If you are vulnerable, you will see:

vulnerable
this is a test

After upgrading bash you will see the vulnerability has been closed:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

--
David C. Rankin, J.D.,P.E.

Hello,

On Wed, 24 Sep 2014, David C. Rankin wrote:
> On 09/24/2014 04:03 PM, David C. Rankin wrote:
> > I stumbled across the following bulletin regarding bash vulnerability:
> > https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environmen...
> > What's the status of a patched version for 13.1?
> Per the security blog, you can confirm that the vulnerability is closed with:
> $ ( env x='() { :;}; echo vulnerable' bash -c "echo this is a test" )

JFTR: I'm building bash for 12.1 and some more, not sure if what others that build for 12.1, .2 etc. are already patched (and keep it updated for now).

$ ( env x='() { :;}; echo vulnerable' bash -c "echo this is a test" )
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
$ rpm -q bash
bash-4.2-245.1.x86_64
$ grep PRETTY /etc/os-release
PRETTY_NAME="openSUSE 12.1 (Asparagus) (x86_64)"
$ rpm -q --changelog bash | head
* Thu Sep 18 2014 werner@suse.de
- Add bash-4.2-CVE-2014-6271.patch to fix CVE-2014-6271,
  the unexpected code execution with environment variables
  (bnc#896776)
[..]

Repo: http://download.opensuse.org/repositories/home:/dnh/

It's just a link to Base:System.

Feel free to PM me though,
-dnh

--
"What, you don't think "insmod emacs" is a good idea?" -- Joe Moore

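Added example (not part of the original thread and not written by any of its posters): the test quoted in the messages above, wrapped as a POSIX shell function that classifies a bash binary by whether the marker text reaches stdout, so it also works on builds that print no warning. The names check_bash_6271, scan_bash_binaries, MARKER and the candidate paths are assumptions of this example.

```shell
#!/bin/sh
# Added example: wraps the env-variable test quoted in this thread.
# check_bash_6271, scan_bash_binaries, MARKER and the candidate paths
# below are names/values chosen for this example.

MARKER="vulnerable"

# Classify one bash binary (default: bash found on PATH).
# Prints: vulnerable | patched | error   Returns: 1 | 0 | 2
check_bash_6271() {
    shell=${1:-bash}
    command -v "$shell" >/dev/null 2>&1 || { echo error; return 2; }
    # env sets x only for the child process, so nothing leaks into the
    # caller's session. stderr is dropped: fixed builds may print the
    # "ignoring function definition attempt" warning there, or nothing.
    out=$(env x="() { :;}; echo $MARKER" "$shell" -c 'echo this is a test' 2>/dev/null)
    case $out in
        *"$MARKER"*)        echo vulnerable; return 1 ;;  # trailing command ran
        *"this is a test"*) echo patched;    return 0 ;;  # only the -c command ran
        *)                  echo error;      return 2 ;;  # binary did not run the test
    esac
}

# Check every bash binary found at the usual install paths, then show the
# package version the way the thread does with rpm -q.
scan_bash_binaries() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -x "$b" ] || continue
        printf '%s: %s\n' "$b" "$(check_bash_6271 "$b")"
    done
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash || true
    fi
}
```

Source the file and call scan_bash_binaries, or check_bash_6271 /path/to/bash for a single binary; the result is only meaningful when the path given is a bash binary.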
participants (5)
- Christopher Myers
- David C. Rankin
- David Haller
- Marcus Meissner
- Ricardo Chung